INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.

syzkaller login: [   30.896428] IPVS: ftp: loaded support on port[0] = 21
[   30.896433] IPVS: ftp: loaded support on port[0] = 21
[   30.916250] IPVS: ftp: loaded support on port[0] = 21
[   30.918599] IPVS: ftp: loaded support on port[0] = 21
[   30.924444] IPVS: ftp: loaded support on port[0] = 21
[   30.928854] IPVS: ftp: loaded support on port[0] = 21
[   30.939808] IPVS: ftp: loaded support on port[0] = 21
[   30.946152] IPVS: ftp: loaded support on port[0] = 21
executing program
[   31.069646] XFS (loop2): Invalid superblock magic number
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   31.274387] XFS (loop4): Invalid superblock magic number
[   31.274393] XFS (loop1): Invalid superblock magic number
[   31.301141] ==================================================================
[   31.308707] BUG: KASAN: use-after-free in radix_tree_next_chunk+0xf9f/0xfb0
[   31.315814] Read of size 4 at addr ffff8801d9344f48 by task syzkaller119703/4552
[   31.323341] 
[   31.324985] CPU: 0 PID: 4552 Comm: syzkaller119703 Not tainted 4.16.0+ #4
[   31.331912] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.341272] Call Trace:
[   31.343871]  dump_stack+0x1b9/0x294
[   31.347513]  ? dump_stack_print_info.cold.2+0x52/0x52
[   31.352709]  ? printk+0x9e/0xba
[   31.355998]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   31.360771]  ? kasan_check_write+0x14/0x20
[   31.365016]  print_address_description+0x6c/0x20b
[   31.366344] XFS (loop3): Invalid superblock magic number
[   31.369861]  ? radix_tree_next_chunk+0xf9f/0xfb0
[   31.380066]  kasan_report.cold.7+0x242/0x2fe
[   31.384486]  __asan_report_load4_noabort+0x14/0x20
[   31.389514]  radix_tree_next_chunk+0xf9f/0xfb0
[   31.394106]  ? debug_check_no_locks_freed+0x310/0x310
[   31.399309]  ? __lock_acquire+0x7f5/0x5140
[   31.403554]  ? __lock_acquire+0x7f5/0x5140
[   31.407797]  ? graph_lock+0x170/0x170
[   31.411609]  ? idr_preload+0x40/0x40
[   31.415336]  ? debug_check_no_locks_freed+0x310/0x310
[   31.420623]  ? debug_check_no_locks_freed+0x310/0x310
[   31.425845]  ? print_usage_bug+0xc0/0xc0
[   31.429926]  ? flush_plug_callbacks+0x553/0x7f0
[   31.434610]  ? print_usage_bug+0xc0/0xc0
[   31.438693]  ? bio_cur_bytes+0x1e0/0x1e0
[   31.442770]  ? mark_held_locks+0xc9/0x160
[   31.446927]  ? print_usage_bug+0xc0/0xc0
[   31.451003]  radix_tree_gang_lookup_tag+0x3d4/0x5f0
[   31.456040]  ? radix_tree_gang_lookup_slot+0x420/0x420
[   31.461327]  ? xfs_perag_get+0x600/0x600
[   31.465411]  ? kasan_check_read+0x11/0x20
[   31.469569]  ? rcu_is_watching+0x85/0x140
[   31.473722]  ? find_held_lock+0x36/0x1c0
[   31.477822]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   31.478842] XFS (loop6): Invalid superblock magic number
[   31.483024]  xfs_perag_get_tag+0x12d/0x7c0
[   31.483042]  ? xfs_perag_get+0x600/0x600
[   31.483058]  ? rcu_is_watching+0x85/0x140
[   31.483074]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   31.483098]  ? list_lru_count_one+0x27f/0x440
[   31.483116]  xfs_reclaim_inodes_count+0x82/0xb0
[   31.490118] XFS (loop5): Invalid superblock magic number
[   31.492805]  xfs_fs_nr_cached_objects+0x37/0x50
[   31.492821]  ? xfs_fs_free_cached_objects+0x80/0x80
[   31.492835]  super_cache_count+0x98/0x280
[   31.492855]  shrink_slab.part.39+0x330/0xf90
[   31.492878]  ? kswapd_cpu_online+0x1e0/0x1e0
[   31.499807] XFS (loop7): Invalid superblock magic number
[   31.501063]  ? shrink_active_list+0x17f0/0x17f0
[   31.501081]  ? kasan_check_read+0x11/0x20
[   31.501095]  ? rcu_is_watching+0x85/0x140
[   31.501129]  shrink_slab+0xa1/0xc0
[   31.510550] XFS (loop2): Invalid superblock magic number
[   31.510768]  shrink_node+0x4f2/0x1740
[   31.516536] XFS (loop0): Invalid superblock magic number
[   31.520868]  ? shrink_node_memcg+0x1910/0x1910
[   31.520889]  ? kvm_clock_read+0x25/0x30
[   31.520906]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   31.520919]  ? ktime_get+0x2d9/0x430
[   31.520935]  ? do_gettimeofday+0x170/0x170
[   31.603458]  ? graph_lock+0x170/0x170
[   31.607250]  ? print_usage_bug+0xc0/0xc0
[   31.611301]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.616821]  do_try_to_free_pages+0x3c9/0x1240
[   31.621567]  ? shrink_node+0x1740/0x1740
[   31.625611]  ? __lock_is_held+0xb5/0x140
[   31.629664]  try_to_free_mem_cgroup_pages+0x475/0xc50
[   31.634858]  ? pointer_string+0x1a0/0x1a0
[   31.638998]  ? try_to_free_pages+0xb30/0xb30
[   31.643395]  ? mutex_trylock+0x2a0/0x2a0
[   31.647448]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   31.652661]  ? memparse+0x168/0x1c0
[   31.656277]  ? get_options+0x360/0x360
[   31.660155]  ? kasan_kmalloc+0xc4/0xe0
[   31.664038]  ? __kmalloc+0x14e/0x760
[   31.667737]  ? __vfs_write+0x10b/0x880
[   31.671613]  memory_high_write+0x26e/0x2f0
[   31.675846]  ? mem_cgroup_css_released+0x140/0x140
[   31.680767]  ? graph_lock+0x170/0x170
[   31.684547]  ? kernfs_fop_write+0x227/0x480
[   31.688854]  ? lock_release+0xa10/0xa10
[   31.692813]  cgroup_file_write+0x317/0x820
[   31.697038]  ? mem_cgroup_css_released+0x140/0x140
[   31.701966]  ? init_and_link_css+0x880/0x880
[   31.706365]  ? __lock_is_held+0xb5/0x140
[   31.710412]  ? init_and_link_css+0x880/0x880
[   31.714803]  kernfs_fop_write+0x2ba/0x480
[   31.718932]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   31.723499]  __vfs_write+0x10b/0x880
[   31.727193]  ? kernfs_fop_open+0x1000/0x1000
[   31.731584]  ? kernel_read+0x120/0x120
[   31.735457]  ? __lock_is_held+0xb5/0x140
[   31.739505]  ? kasan_check_read+0x11/0x20
[   31.743657]  ? rcu_read_lock_sched_held+0x108/0x120
[   31.748661]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   31.754179]  ? __sb_start_write+0x17f/0x300
[   31.758487]  vfs_write+0x1f8/0x560
[   31.762019]  ksys_write+0xf9/0x250
[   31.765549]  ? SyS_read+0x30/0x30
[   31.768986]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   31.773821]  ? ksys_ioctl+0x81/0xd0
[   31.777441]  SyS_write+0x24/0x30
[   31.780797]  ? ksys_write+0x250/0x250
[   31.784589]  do_syscall_64+0x29e/0x9d0
[   31.788468]  ? vmalloc_sync_all+0x30/0x30
[   31.792610]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   31.797446]  ? syscall_return_slowpath+0x5c0/0x5c0
[   31.802356]  ? syscall_return_slowpath+0x30f/0x5c0
[   31.807269]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   31.812617]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   31.817447]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   31.822615] RIP: 0033:0x4428f9
[   31.825787] RSP: 002b:00007ffe0bfab5c8 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
[   31.833476] RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 00000000004428f9
[   31.840733] RDX: 0000000000000001 RSI: 0000000020000000 RDI: 0000000000000004
[   31.847989] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   31.855253] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000004
[   31.862511] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffe0bfab708
[   31.869768] 
[   31.871376] Allocated by task 4550:
[   31.874993]  save_stack+0x43/0xd0
[   31.878443]  kasan_kmalloc+0xc4/0xe0
[   31.882143]  kmem_cache_alloc_trace+0x152/0x780
[   31.886798]  xfs_fs_fill_super+0xda/0x1480
[   31.891018]  mount_bdev+0x30c/0x3e0
[   31.894643]  xfs_fs_mount+0x34/0x40
[   31.898261]  mount_fs+0xae/0x328
[   31.901614]  vfs_kern_mount.part.34+0xd4/0x4d0
[   31.906176]  do_mount+0x564/0x3070
[   31.909694]  ksys_mount+0x12d/0x140
[   31.913296]  SyS_mount+0x35/0x50
[   31.916654]  do_syscall_64+0x29e/0x9d0
[   31.920532]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   31.925693] 
[   31.927306] Freed by task 4550:
[   31.930593]  save_stack+0x43/0xd0
[   31.934046]  __kasan_slab_free+0x11a/0x170
[   31.938258]  kasan_slab_free+0xe/0x10
[   31.942046]  kfree+0xd9/0x260
[   31.945150]  xfs_fs_fill_super+0x66a/0x1480
[   31.949460]  mount_bdev+0x30c/0x3e0
[   31.953258]  xfs_fs_mount+0x34/0x40
[   31.956871]  mount_fs+0xae/0x328
[   31.960215]  vfs_kern_mount.part.34+0xd4/0x4d0
[   31.964786]  do_mount+0x564/0x3070
[   31.968304]  ksys_mount+0x12d/0x140
[   31.971908]  SyS_mount+0x35/0x50
[   31.975277]  do_syscall_64+0x29e/0x9d0
[   31.979154]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   31.984322] 
[   31.985929] The buggy address belongs to the object at ffff8801d9344b40
[   31.985929]  which belongs to the cache kmalloc-4096 of size 4096
[   31.998740] The buggy address is located 1032 bytes inside of
[   31.998740]  4096-byte region [ffff8801d9344b40, ffff8801d9345b40)
[   32.010778] The buggy address belongs to the page:
[   32.015693] page:ffffea000764d100 count:1 mapcount:0 mapping:ffff8801d9344b40 index:0x0 compound_mapcount: 0
[   32.025646] flags: 0x2fffc0000008100(slab|head)
[   32.030296] raw: 02fffc0000008100 ffff8801d9344b40 0000000000000000 0000000100000001
[   32.038164] raw: ffffea00073d68a0 ffffea0007644920 ffff8801dac00dc0 0000000000000000
[   32.046023] page dumped because: kasan: bad access detected
[   32.051713] 
[   32.053319] Memory state around the buggy address:
[   32.058227]  ffff8801d9344e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.065576]  ffff8801d9344e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.072926] >ffff8801d9344f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.080262]                                            ^
[   32.085949]  ffff8801d9344f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.093290]  ffff8801d9345000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   32.100626] ==================================================================
[   32.107963] Disabling lock debugging due to kernel taint
[   32.113573] Kernel panic - not syncing: panic_on_warn set ...
[   32.113573] 
[   32.120951] CPU: 0 PID: 4552 Comm: syzkaller119703 Tainted: G    B            4.16.0+ #4
[   32.129256] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.138589] Call Trace:
[   32.141168]  dump_stack+0x1b9/0x294
[   32.145355]  ? dump_stack_print_info.cold.2+0x52/0x52
[   32.150529]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   32.155264]  ? radix_tree_next_chunk+0xf00/0xfb0
[   32.159996]  panic+0x22f/0x4de
[   32.163175]  ? add_taint.cold.5+0x16/0x16
[   32.167304]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.171782]  ? do_raw_spin_unlock+0x9e/0x2e0
[   32.176172]  ? radix_tree_next_chunk+0xf9f/0xfb0
[   32.180911]  kasan_end_report+0x47/0x4f
[   32.184866]  kasan_report.cold.7+0x76/0x2fe
[   32.189168]  __asan_report_load4_noabort+0x14/0x20
[   32.194087]  radix_tree_next_chunk+0xf9f/0xfb0
[   32.198659]  ? debug_check_no_locks_freed+0x310/0x310
[   32.203828]  ? __lock_acquire+0x7f5/0x5140
[   32.208044]  ? __lock_acquire+0x7f5/0x5140
[   32.212264]  ? graph_lock+0x170/0x170
[   32.216046]  ? idr_preload+0x40/0x40
[   32.219739]  ? debug_check_no_locks_freed+0x310/0x310
[   32.224905]  ? debug_check_no_locks_freed+0x310/0x310
[   32.230081]  ? print_usage_bug+0xc0/0xc0
[   32.234134]  ? flush_plug_callbacks+0x553/0x7f0
[   32.238789]  ? print_usage_bug+0xc0/0xc0
[   32.242836]  ? bio_cur_bytes+0x1e0/0x1e0
[   32.246876]  ? mark_held_locks+0xc9/0x160
[   32.251001]  ? print_usage_bug+0xc0/0xc0
[   32.255055]  radix_tree_gang_lookup_tag+0x3d4/0x5f0
[   32.260067]  ? radix_tree_gang_lookup_slot+0x420/0x420
[   32.265324]  ? xfs_perag_get+0x600/0x600
[   32.269375]  ? kasan_check_read+0x11/0x20
[   32.273511]  ? rcu_is_watching+0x85/0x140
[   32.277642]  ? find_held_lock+0x36/0x1c0
[   32.281689]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.286871]  xfs_perag_get_tag+0x12d/0x7c0
[   32.291097]  ? xfs_perag_get+0x600/0x600
[   32.295144]  ? rcu_is_watching+0x85/0x140
[   32.299269]  ? rcu_bh_force_quiescent_state+0x20/0x20
[   32.304442]  ? list_lru_count_one+0x27f/0x440
[   32.308919]  xfs_reclaim_inodes_count+0x82/0xb0
[   32.313571]  xfs_fs_nr_cached_objects+0x37/0x50
[   32.318222]  ? xfs_fs_free_cached_objects+0x80/0x80
[   32.323228]  super_cache_count+0x98/0x280
[   32.327361]  shrink_slab.part.39+0x330/0xf90
[   32.331755]  ? kswapd_cpu_online+0x1e0/0x1e0
[   32.336155]  ? shrink_active_list+0x17f0/0x17f0
[   32.340810]  ? kasan_check_read+0x11/0x20
[   32.344939]  ? rcu_is_watching+0x85/0x140
[   32.349082]  shrink_slab+0xa1/0xc0
[   32.352603]  shrink_node+0x4f2/0x1740
[   32.356398]  ? shrink_node_memcg+0x1910/0x1910
[   32.360967]  ? kvm_clock_read+0x25/0x30
[   32.364932]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   32.369949]  ? ktime_get+0x2d9/0x430
[   32.373658]  ? do_gettimeofday+0x170/0x170
[   32.377872]  ? graph_lock+0x170/0x170
[   32.381655]  ? print_usage_bug+0xc0/0xc0
[   32.385708]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.391238]  do_try_to_free_pages+0x3c9/0x1240
[   32.395810]  ? shrink_node+0x1740/0x1740
[   32.399851]  ? __lock_is_held+0xb5/0x140
[   32.403892]  try_to_free_mem_cgroup_pages+0x475/0xc50
[   32.409060]  ? pointer_string+0x1a0/0x1a0
[   32.413185]  ? try_to_free_pages+0xb30/0xb30
[   32.417579]  ? mutex_trylock+0x2a0/0x2a0
[   32.421625]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   32.426797]  ? memparse+0x168/0x1c0
[   32.430400]  ? get_options+0x360/0x360
[   32.434269]  ? kasan_kmalloc+0xc4/0xe0
[   32.438133]  ? __kmalloc+0x14e/0x760
[   32.441825]  ? __vfs_write+0x10b/0x880
[   32.445693]  memory_high_write+0x26e/0x2f0
[   32.449913]  ? mem_cgroup_css_released+0x140/0x140
[   32.454840]  ? graph_lock+0x170/0x170
[   32.458635]  ? kernfs_fop_write+0x227/0x480
[   32.462936]  ? lock_release+0xa10/0xa10
[   32.467410]  cgroup_file_write+0x317/0x820
[   32.471624]  ? mem_cgroup_css_released+0x140/0x140
[   32.476532]  ? init_and_link_css+0x880/0x880
[   32.480919]  ? __lock_is_held+0xb5/0x140
[   32.484974]  ? init_and_link_css+0x880/0x880
[   32.489377]  kernfs_fop_write+0x2ba/0x480
[   32.493504]  ? do_raw_spin_trylock+0x1b0/0x1b0
[   32.498067]  __vfs_write+0x10b/0x880
[   32.501757]  ? kernfs_fop_open+0x1000/0x1000
[   32.506155]  ? kernel_read+0x120/0x120
[   32.510028]  ? __lock_is_held+0xb5/0x140
[   32.514073]  ? kasan_check_read+0x11/0x20
[   32.518204]  ? rcu_read_lock_sched_held+0x108/0x120
[   32.523206]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   32.528724]  ? __sb_start_write+0x17f/0x300
[   32.533031]  vfs_write+0x1f8/0x560
[   32.536553]  ksys_write+0xf9/0x250
[   32.540074]  ? SyS_read+0x30/0x30
[   32.543515]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   32.548337]  ? ksys_ioctl+0x81/0xd0
[   32.551941]  SyS_write+0x24/0x30
[   32.555284]  ? ksys_write+0x250/0x250
[   32.559066]  do_syscall_64+0x29e/0x9d0
[   32.562930]  ? vmalloc_sync_all+0x30/0x30
[   32.567062]  ? syscall_slow_exit_work+0x4f0/0x4f0
[   32.571896]  ? syscall_return_slowpath+0x5c0/0x5c0
[   32.576807]  ? syscall_return_slowpath+0x30f/0x5c0
[   32.581726]  ? entry_SYSCALL_64_after_hwframe+0x52/0xb7
[   32.587073]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   32.591893]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   32.597062] RIP: 0033:0x4428f9
[   32.600237] RSP: 002b:00007ffe0bfab5c8 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
[   32.607933] RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 00000000004428f9
[   32.615181] RDX: 0000000000000001 RSI: 0000000020000000 RDI: 0000000000000004
[   32.622425] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   32.629678] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000000004
[   32.637044] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffe0bfab708
[   32.644732] Dumping ftrace buffer:
[   32.648256]    (ftrace buffer empty)
[   32.651941] Kernel Offset: disabled
[   32.655564] Rebooting in 86400 seconds..